CVE-2016-4657 walk-through and intro to browser exploitation

Discussion in 'Switch - Hacking & Homebrew' started by parrotgeek1, Mar 13, 2017.

  1. parrotgeek1 (OP)


  2. iAqua
    ;) Well, that was fast.
     
  3. jupitteer
    Damn, can't wait for userland. Wanna play dem emulators.
     
    alpmaster likes this.
  4. AecdArmy
    Give it a bit, we need a DEP bypass first :P
     
    alpmaster and mark.m.moran like this.
  5. jupitteer
    Yep, but it's still great to see progress so quickly.

    At this rate, the Switch will be hacked before we get sighax.
     
  6. studio1b
    Keep it up :) Great news.
     
    alpmaster and mark.m.moran like this.
  7. TheCyberQuake
    Remember to keep in mind that they still have to develop a format for homebrew as well, along with tools to develop the homebrew (or SDK leaks). Kinda like how the 3DS has its .3dsx format.
     
    alpmaster likes this.
  8. Sasori
    I have taken the liberty of recording this webpage in action in case anyone is curious as to what it does currently, without sitting through an 18-minute video.
     
  9. AecdArmy
    It's kinda weird. Last night I finished the whole thing, saying the Switch will now crash; now I only get up to that part, then it crashes...
     
  10. Sasori
    It depends on how the script runs, I assume, since it doesn't even have a 100% success rate. I noticed it should have said that for me as well.
     
  11. Hillary_Clinton
    Always crashes before the end for me.
     
  12. Sasori
    It's supposed to.
     
  13. Hillary_Clinton
    What I mean is, it doesn't get to the part where it's supposed to alert "smash.length is now: 0x1337".

    It should get there before crashing.
     
  14. Sasori
    You installed/set it up wrong. If you want to test a working version, set your DNS to go to http://dnswitch.redthetrainer.com/

    Once there, click "tap to test webkit".
     
  15. Hillary_Clinton
    Still crashes after the first two alerts. :huh: Is it working any better for you?
     
  16. Sasori
    Like I said, it's supposed to crash. You can see so in my video above as well.
     
  17. Hillary_Clinton
    But it's not supposed to crash; if you watch the first video, he gets all the way through. What I think you're saying is: this is expected behavior since it's just a really touchy exploit?

    Edit: It sometimes makes it to the "misaligned" alert.
     
    Last edited by Hillary_Clinton, Mar 13, 2017
  18. Sasori
    The same exact thing happens in the video: he crashes. You're crashing because it doesn't do anything yet and is just a PoC. You won't be pirating games or using homebrew with this right now. This "exploit" won't do anything other than crash your system.
     
    Subtle Demise likes this.
  19. Hillary_Clinton
    Yes, it's a proof of concept, but a critical part of the proof is seeing that the length changed, and I'm not reaching that alert. So this makes me curious exactly what his setup was, if he was reliably having success.

    Edit: Okay, now if I set up my server with his exact files freshly unzipped from his GitHub master (not just poc1.html but also his index.html, which redirects to it), then I am able to get to the end of the PoC reliably.
     
    Last edited by Hillary_Clinton, Mar 13, 2017
    Subtle Demise likes this.
  20. gudenau
    Now to find gadgets and such. ^^

    Edit:
    Got to love use after free exploits. So fun.
     
    Last edited by gudenau, Mar 13, 2017
    alpmaster likes this.